Tue August 7, 2012

How His Life Was Hacked In The Cloud

I spent some time at the Defcon and Black Hat conferences in Las Vegas over the past few weeks listening to hackers describe the myriad security holes and flaws in some of the most popular products and applications that roam free in the online world.

While this experience made me nervous, so far at least I have fared better than writer Mat Honan.

In just one hour, he says, "my entire digital life was destroyed." First, his Google account was taken over and deleted, then his Twitter feed was used to broadcast a racist and homophobic tirade. Then his Apple ID was hacked and the attackers used it to erase all the data on his iPhone, iPad and MacBook. He lost all the photos of his one-year-old daughter.

Yikes.

The story, which he detailed at Wired, is interesting and disturbing because it exposes how all the complicated and infuriating security procedures at different companies can be used in concert to break into accounts. Amazon exposed the last four digits of Honan's credit card number. That was enough information for the hackers to trick Apple's customer service team into letting them into Honan's account.

Honan wrote:

"Apple tech support gave the hackers access to my iCloud account. Amazon tech support gave them the ability to see a piece of information — a partial credit card number — that Apple used to release information. In short, the very four digits that Amazon considers unimportant enough to display in the clear on the web are precisely the same ones that Apple considers secure enough to perform identity verification."

But this cautionary tale is about more than particular problems with corporate logins and how they can be leveraged. It's really about the cloud and what happens when all of your data is stored offsite on a remote server you don't own.

Apple, Google, Microsoft and Amazon are all pushing cloud services aggressively. And soon, whether you really want it or not, much of your data is likely to live in the cloud — just like Honan's did.

And if you don't believe Honan that the cloud could create havoc — how about Steve Wozniak? Woz warned an audience in Washington, D.C., this weekend.

"I really worry about everything going to the cloud," he said. "I think it's going to be horrendous. I think there are going to be a lot of horrible problems in the next five years."

He added: "With the cloud, you don't own anything. You already signed it away" through the legalistic terms of service with a cloud provider that computer users must agree to.

"I want to feel that I own things," Wozniak said. "A lot of people feel, 'Oh, everything is really on my computer,' but I say the more we transfer everything onto the web, onto the cloud, the less we're going to have control over it."

Update 9:16 p.m. ET: Amazon has reportedly updated its security procedures so it no longer will allow users to change their email address or a credit card number using only a current email, address and name. And Apple has ordered its support staff to immediately stop processing phoned requests to change Apple ID passwords, Wired reported.